Legal claims defining the scope of protection, as filed with the USPTO.
1. A method of detecting a network worm, comprising: monitoring network traffic among a plurality of network nodes; determining whether the traffic exhibits a characteristic associated with worm propagation, including by: observing that a data communication arrives at a first node; and determining that a substantially similar data communication leaves the first node for one or more second nodes within a prescribed interval after arriving at the first node, indicating a possibility that the first node was infected by a worm; and taking responsive action if it is determined that a portion of the network traffic does exhibit the characteristic associated with worm propagation.
2. A method as recited in claim 1, further comprising detecting whether the substantially similar data communication propagates from the second node to a third node within the prescribed interval after arriving at the second node.
3. A method as recited in claim 1, further comprising detecting whether the substantially similar data communication arrives at, and propagates within the prescribed interval after arrival from, a minimum number of nodes in addition to the first node.
4. A method as recited in claim 3, wherein the minimum number of nodes is configurable.
5. A method as recited in claim 3, wherein the minimum number of nodes is preconfigured.
6. A method as recited in claim 3, wherein the minimum number of nodes is different for different types of data communication.
7. A method as recited in claim 1, wherein the prescribed interval is configurable.
8. A method as recited in claim 1, wherein the prescribed interval is preconfigured.
9. A method as recited in claim 1, wherein monitoring network traffic comprises storing data associated with the data communication if the network traffic is determined to exhibit the characteristic associated with worm propagation.
10. A method as recited in claim 9, wherein the stored data comprises a message digest.
11. A method as recited in claim 9, wherein the stored data comprises at least a portion of the data communication.
12. A method as recited in claim 9, wherein monitoring network traffic further comprises using the stored data to identify as related two or more occurrences, observed with respect to separate target nodes, of the data communication or a variant thereof arriving at a target node and propagating from the target node to another node within the prescribed interval after arriving at the target node.
13. A method as recited in claim 1, wherein the network traffic is monitored in real time.
14. A method as recited in claim 1, wherein the network traffic comprises historical network data.
15. A method as recited in claim 14, wherein the historical network data comprises a network traffic recording.
16. A method as recited in claim 14, wherein the historical network data comprises a summary of network communications.
17. A method as recited in claim 14, wherein the historical network data comprises NetFlow statistics.
18. A method as recited in claim 1, wherein the network traffic comprises historical network data communicated and recorded at a time prior to said monitoring being performed.
19. A method as recited in claim 1, wherein the responsive action comprises sending a report.
20. A method as recited in claim 1, wherein the responsive action comprises logging information.
21. A method as recited in claim 1, wherein the responsive action comprises blocking network traffic associated with the data communication or a variant thereof.
22. A method as recited in claim 1, wherein the responsive action comprises storing further analysis data associated with the data communication.
23. A method as recited in claim 1, wherein the responsive action comprises processing normally benign network traffic that exhibits the characteristic associated with worm propagation.
24. A method as recited in claim 1, further comprising processing normally benign network traffic that exhibits the characteristic associated with worm propagation.
25. A system for detecting a network worm, comprising: a processor configured to: monitor network traffic among a plurality of network nodes; determine whether the traffic exhibits a characteristic associated with worm propagation, including by: observing that a data communication arrives at a first node; and determining that a substantially similar data communication leaves the first node for one or more second nodes within a prescribed interval after arriving at the first node, indicating a possibility that the first node was infected by a worm; and take responsive action if it is determined that a portion of the network traffic does exhibit the characteristic associated with worm propagation; and a memory configured to store data associated with the network traffic.
26. A system as recited in claim 25, wherein the system comprises a device associated with a network with which the network traffic is associated.
27. A system as recited in claim 26, wherein the device comprises a switch.
28. A system as recited in claim 26, wherein the device comprises a router.
29. A system as recited in claim 26, wherein the device comprises a firewall.
30. A computer readable storage medium for detecting a network worm, the computer readable storage medium storing computer instructions for: monitoring network traffic among a plurality of network nodes; determining whether the traffic exhibits a characteristic associated with worm propagation, including by: observing that a data communication arrives at a first node; and determining that a substantially similar data communication leaves the first node for one or more second nodes within a prescribed interval after arriving at the first node, indicating a possibility that the first node was infected by a worm; and taking responsive action if it is determined that a portion of the network traffic does exhibit the characteristic associated with worm propagation.
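The detection characteristic the independent claims describe (a communication arrives at a node and a substantially similar one leaves that node within a prescribed interval, repeated across a minimum number of nodes, with stored message digests used to relate occurrences at different nodes and a chain of relays counted as in claim 2), worked through as an added example. This is illustrative Python written for this page, not code from the patent or its assignee. Assumptions: the flow records, addresses and payloads are constructed; "substantially similar" is approximated by an exact SHA-256 match over destination port and payload (a production matcher would tolerate variants); the interval and node threshold are arbitrary defaults; and the block-rule syntax is hypothetical.

```python
"""Added example: the worm-propagation characteristic of claims 1-3 and
9-12 run over constructed flow records. Not the patent holder's code."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed data communication (a NetFlow-like record plus payload)."""
    ts: float      # seconds since capture start
    src: str
    dst: str
    dport: int
    payload: bytes


def signature(flow: Flow) -> str:
    """Message digest stored per communication (claim 10). Assumption: an
    exact match on destination port and payload stands in for 'substantially
    similar'; a production matcher would also accept variants (claim 12)."""
    h = hashlib.sha256()
    h.update(flow.dport.to_bytes(2, "big"))
    h.update(flow.payload)
    return h.hexdigest()[:16]


class WormDetector:
    def __init__(self, interval: float = 30.0, min_nodes: int = 3):
        self.interval = interval    # the prescribed interval (claims 7, 8)
        self.min_nodes = min_nodes  # minimum number of relaying nodes (claim 3)
        self.arrivals = {}          # (digest, node) -> (arrival ts, sender)
        self.hops = {}              # (digest, node) -> hop at which node relayed
        self.relayers = defaultdict(set)  # digest -> nodes that relayed in time
        self.alerts = []

    def observe(self, flow: Flow) -> None:
        d = signature(flow)
        prior = self.arrivals.get((d, flow.src))
        if prior is not None:
            t_in, sender = prior
            if 0 < flow.ts - t_in <= self.interval:
                # The same communication leaves flow.src within the interval
                # after it arrived there: the characteristic of claim 1.
                self.relayers[d].add(flow.src)
                # A relay of a relay (claim 2) sits one hop deeper than its sender.
                self.hops[(d, flow.src)] = self.hops.get((d, sender), 0) + 1
                if len(self.relayers[d]) == self.min_nodes:
                    self.alerts.append({
                        "ts": flow.ts,
                        "digest": d,
                        "dport": flow.dport,
                        "nodes": sorted(self.relayers[d]),
                        "hops": max(h for (dg, _), h in self.hops.items() if dg == d),
                    })
        # Record the arrival at the destination for later outbound checks.
        self.arrivals[(d, flow.dst)] = (flow.ts, flow.src)


def run(traffic, interval: float = 30.0, min_nodes: int = 3):
    """Replay recorded traffic (claims 14, 15) in time order and return alerts."""
    det = WormDetector(interval, min_nodes)
    for flow in sorted(traffic, key=lambda f: f.ts):
        det.observe(flow)
    return det.alerts


def block_rules(alert) -> list:
    """Responsive action of claim 21: block further traffic matching the
    communication from the nodes that relayed it (rule syntax is hypothetical)."""
    return [f"DROP from {n} to any port {alert['dport']} sig {alert['digest']}"
            for n in alert["nodes"]]


# Constructed sample traffic: a worm spreading over port 445, and a benign
# mail relay that forwards one message once (claims 23, 24 treat such
# traffic as exhibiting the characteristic; here it stays under min_nodes).
WORM = b"\x90" * 16 + b"constructed-worm-body"
MAIL = b"From: alice@example.test\r\nSubject: hi\r\n\r\nlunch?"
SAMPLE_TRAFFIC = [
    Flow(0.0, "10.0.0.1", "10.0.0.2", 445, WORM),     # patient zero infects .2
    Flow(1.0, "10.0.0.7", "10.0.0.8", 25, MAIL),      # benign: mail arrives at relay
    Flow(2.0, "10.0.0.8", "10.0.0.9", 25, MAIL),      # benign: forwarded once
    Flow(5.0, "10.0.0.2", "10.0.0.3", 445, WORM),     # .2 relays (hop 1)
    Flow(6.0, "10.0.0.2", "10.0.0.4", 445, WORM),
    Flow(9.0, "10.0.0.3", "10.0.0.5", 445, WORM),     # .3 relays (hop 2)
    Flow(12.0, "10.0.0.4", "10.0.0.6", 445, WORM),    # .4 relays: third node, alert
    Flow(100.0, "10.0.0.5", "10.0.0.10", 445, WORM),  # 91 s after arrival: outside interval
]

if __name__ == "__main__":
    for alert in run(SAMPLE_TRAFFIC):
        print(alert)
        print("\n".join(block_rules(alert)))
```

With the defaults the sample yields one alert, naming 10.0.0.2, 10.0.0.3 and 10.0.0.4 as relayers at a chain depth of two hops; the mail relay never reaches the node threshold, and the late transmission from 10.0.0.5 falls outside the interval. Shrinking the interval to 5 s or raising the threshold to four nodes suppresses the alert, which is the trade-off claims 4 to 8 leave to configuration.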
May 25, 2010